Infrastructure Under Attack

What makes a DDoS attack different from an everyday data breach? The answer is embedded in the term: denial of service. The motive of a DDoS attack is to prevent the delivery of online services that people depend on. Financial institutions, gaming and e-commerce websites are among the top targets of DDoS attacks, as are cloud service providers that host sites or service applications for business customers. Even a brief disruption of service delivery can cost an enterprise millions in lost business, not counting the after-effects of alienated customers and reputational damage.

Because DDoS attacks and data breaches are so different in nature, conventional security infrastructure components used to combat breaches – perimeter firewalls, intrusion detection/preventions systems (IDI/IPS) and the like – are comparatively ineffective at mitigating DDoS attacks. These security products certainly have their place in a layered defense strategy, serving to protect data confidentiality and integrity. However, they fail to address the fundamental issue in DDoS attacks, namely network availability.

In fact, these components themselves are increasingly the target of DDoS attacks aimed at incapacitating them. The 13th annual Worldwide Infrastructure Security Report (WISR), NETSCOUT Arbor’s annual survey of security professionals in both the service provider and enterprise segments, uncovered a significant increase in DDoS attacks targeting infrastructure over the previous year. Among enterprise respondents, 61% had experienced attacks on network infrastructure, and 52% had firewalls or IPS devices fail or contribute to an outage during a DDoS attack. Attacks on infrastructure are less prevalent among service providers, whose customers are still the primary target of DDoS attacks. Nonetheless, 10% of attacks on service providers targeted network infrastructure and another 15% targeted service infrastructure.

Infrastructure components are particularly vulnerable to TCP State Exhaustion attacks, which attempt to consume the connection state tables (session records) used by load balancers, firewalls, IPS and application servers to identify legitimate packet traffic. Such attacks can take down even high-capacity devices capable of maintaining state on millions of connections. In the latest WISR, TCP State Exhaustion attacks accounted for nearly 12% of all attacks reported.

In spite of their vulnerability, firewalls, IPS and load-balancers remain at the top of the list of security measures organizations say they employ to mitigate DDoS attacks. Among service providers, firewalls were the second most reported DDoS mitigation option, while on the enterprise side, firewalls were the first choice of 82% of respondents. It is somewhat discouraging that some of the most popular DDoS mitigation measures are also the least effective, given the ease with which a state-based attack can overwhelm them.

On a positive note, however, the increased frequency of DDoS attacks reported in our 2016 survey appears to have driven wider adoption of Intelligent DDoS Mitigation Systems (IDMS) in 2017. About half of respondents indicated that an IDMS was now a part of perimeter protection, a sharp increase from the previous year’s 29%.

Any organization that delivers services over the web needs strong, purpose-built DDoS protection. Security experts continue to recommend as best practice a hybrid solution combining on-premise defenses and cloud-based mitigation capabilities. Specifically with regard to attacks on network infrastructure, a dedicated DDoS on-premise appliance should be deployed in front of infrastructure components to protect them from attacks and enable them to do their job unimpeded.

About the author: Tom has worked in the network and security industries for more than 20 years. During this time, he has served as a Network Engineer for large enterprises and has had roles in Sales Engineering /Management, Technical Field Marketing and Product Management at multiple network management and security vendors. Currently, as Director of DDoS Product Marketing at NETSCOUT Arbor he focuses on Arbor’s industry leading DDoS Protection Solutions.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.